Skill v1.0.8

ClawScan security

Plan Flow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 3, 2026, 2:41 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's stated purpose (AI-assisted development) mostly matches its requirements (git, gh), but its runtime instructions contain inconsistencies and a quietly persistent 'ledger' that records project memory without clear consent — this creates a risk of unexpected automatic changes or sensitive information being written to the repo.
Guidance
Key things to consider before installing:
- Ledger behavior: The skill documents a persistent 'flow/ledger.md' that is updated silently and used to influence future behavior. Ask the author how ledger entries are controlled, whether sensitive content is filtered, and how to disable ledger recording. Prefer not to enable this on repositories that contain secrets or proprietary logic.
- Autopilot / automated actions: The top-level SKILL.md encourages automated runs and even says 'Never ask "Ready to create plan?" — just do it.' but other files contain contradictory checkpoints. Confirm whether the agent will actually modify files, run builds, or make commits without explicit user approval. If you require explicit approval before changes, do not enable autopilot.
- Storage of API keys: The README suggests creating .plan-flow.yml with an anthropic_api_key example. Do NOT commit API keys to the repo; instead store provider keys in a secure secret store or environment variables and add .plan-flow.yml to .gitignore. Ask the author for a secure configuration alternative.
- GitHub CLI auth: Review what gh auth scopes you grant. The skill requires gh for PR review; ensure the token/account used has minimal necessary scopes.
- Test in an isolated repo: Try the skill in a disposable repository first to observe behavior (file writes, commits, whether ledger populates, autopilot actions). Verify no automatic commits or pushes occur unless you explicitly approve.
- Clarify inconsistencies: The SKILL.md set contains contradictory rules about auto-chaining and when to pause. Ask the maintainer to clarify intended autopilot behavior and how to opt out of any background logging.

If you are uncomfortable with a silent, persistent ledger or any automatic file-modifying behavior, do not install or enable autopilot until you have explicit controls (ability to opt out of ledger, disable autopilot by default, and require explicit consent before code changes or commits).

Review Dimensions

Purpose & Capability
note
Name and features align with requiring git and gh for repo and PR work. The skill's commands (setup, discovery, plan, execute, review, tests) reasonably map to those tools. However, the inclusion of a silent, always-active project ledger (persistent memory) is more than a simple workflow helper and expands the skill's scope beyond pure planning/execution.
Instruction Scope
concern
SKILL.md instructs the agent to automatically run multi-step workflows, create and modify files (plans, contracts, code, test files), run builds, and 'silently' capture learnings to flow/ledger.md. There are contradictory rules across files (e.g., main doc: 'Never ask "Ready to create plan?" — just do it.' vs. flow/SKILL.md's mandatory checkpoints and create-plan's 'Do NOT auto-invoke /execute-plan'). The instructions grant broad discretion to read/write project files and perform build/commit-related actions — this can lead to unexpected code changes or recording of sensitive content without explicit, consistent consent.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is lower risk from an installation vector perspective.
Credentials
note
The skill declares no required environment variables, which is consistent with an instruction-only skill. However, the Configuration section recommends creating a .plan-flow.yml containing an anthropic_api_key (example shown) — storing API keys in a repo file is discouraged and not enforced/validated. The skill also requires gh authentication for PR review; that is expected but users should be aware of auth scopes granted to gh.
Persistence & Privilege
concern
Although registry flags show always: false, the SKILL.md explicitly documents an 'Always-Active Feature' (Project Ledger) and ledger/SKILL.md states the ledger 'operates silently in the background' and will read/apply learnings and record new entries. That is inconsistent with the declared privileges and effectively gives the skill persistent, background write/read access to the repo. This combination (silent ledger + automatic workflow language + file creation) increases the chance of unwanted persistent changes or leaking repository-specific information into flow/ledger.md.